Abstract


This paper proposes the first ideal untraceable electronic cash system which solves
the most crucial problem inherent with real cash and all previous untraceable electronic
cash systems. The main advantage of the new system is that the customer can subdivide
his cash balance, C (dollars), into many pieces in any way he pleases until the total
value of all subdivided pieces equals C. This system can be implemented efficiently. In a
typical implementation, the data size of one piece of electronic cash is less than 100 bytes
regardless of the face value of the piece, and the computation time for each transaction is several
seconds, assuming the existence of a Rabin scheme chip. The security of this scheme relies
on the difficulty of factoring.


1 Introduction 


Electronic cash is one of the most important applications of modern cryptology because
an electronic money (cash) system will be widely installed in the near future; smart cards
will become electronic wallets storing electronic cash. The security of real cash heavily
depends on physical properties such as the difficulty of reproducing bills and coins. The
security of electronic cash systems cannot depend on any physical condition, but must
be guaranteed by mathematics. Here, cryptographic techniques are essentially used to
guarantee security. Then, information itself has a value, and electronic cash can be
transferred through networks.

What then is the ideal cash system? The criteria describing the ideal cash system are 
as follows: 


(a) Independence: The security of electronic cash cannot depend on any physical
condition. Then the cash can be transferred through networks.

(b) Security: The ability to copy (reuse) and forge the cash must be prevented.

(c) Privacy (Untraceability): The privacy of the user should be protected. That
is, the relationship between the user and his purchases must be untraceable by
anyone.

(d) Off-line payment: When a user pays the electronic cash to a shop, the procedure
between the user and the shop should be executed in an off-line manner. That
is, the shop does not need to be linked to the host in the user's payment procedure.

(e) Transferability: The cash can be transferred to other users.

(f) Dividability: One issued piece of cash worth value C (dollars) can be subdivided
into many pieces such that each subdivided piece is worth any desired value
less than C and the total value of all pieces is equivalent to C.


Several electronic cash systems have been proposed by [Ch, Da, PW, EGY, OkOh2,
CFN, OkOh1]. The security of the electronic cash system by [EGY] depends on a physical
condition. Therefore, [EGY] does not satisfy criterion (a). There are two types of
electronic cash systems satisfying criteria (a), (b) and (c): on-line untraceable electronic
cash systems, and off-line untraceable electronic cash systems.

Some on-line untraceable electronic cash systems have been proposed by [Ch, Da, PW],
which satisfy criteria (a) through (f) except criterion (d). However, the on-line cash
systems are not practical from the viewpoints of turn-around time, communication cost,
and database-maintenance cost. Therefore, the off-line cash systems are preferable from
the practical viewpoint, although they are technically difficult to construct.

An off-line untraceable electronic cash system satisfying criteria (a), (b), (c) and (d)
was first proposed by [CFN], based on the cut-and-choose methodology and a collision
free one-way function technique. An electronic cash system satisfying criteria (a), (b), (c),
(d) and (e) was then proposed by [OkOh1]. In [OkOh1], the disposable zero-knowledge
authentication scheme is used in place of the collision free function technique in [CFN].

In [OkOh1], an electronic coupon ticket system was also proposed, in which one piece
of electronic cash can be subdivided into many pieces whose values are all equivalent. In
this system, however, if a customer pays for an article with cents, the store receives an
enormous number of one-cent electronic coupon tickets from the customer (for example,
when the price of the article is $356.27, the store receives 35627 electronic coupon tickets,
where the data size of each ticket is several kilobytes. So, the store receives about 200
megabytes of data for purchasing just one article.) Therefore, no electronic cash system
satisfying criterion (f) as well as the other criteria (a) through (c) has been proposed so
far.

It must be noted that even the real cash system cannot satisfy criterion (f). This is the
reason why we must hold many bills and coins in our wallets. On the other hand, other
typical exchange systems such as bank notes and credit cards do not satisfy criteria (a)
and (c). Prepaid cards such as telephone cards do not satisfy criterion (a), although they
almost satisfy criteria (b) through (f). Therefore, we do not have the ideal cash system so
far, either electronic or real.

In this paper, we propose the first electronic cash system that satisfies all six criteria.
That is, this system is the first version of the ideal cash system. Moreover, the new system
is more efficient and practical than any previous system even if we restrict the comparison
to the two criteria (a) through (d).

Our scheme uses the cut-and-choose methodology as all previous schemes. The new
key techniques of our scheme are the square root modulo N (N is the Williams integer),
and the hierarchical structure table. The former is used mainly for criteria (a) through
(e) (or in place of the techniques such as the collision free function [CFN], and disposable
zero-knowledge authentication [OkOh1]). The latter combined with the former is used for
criterion (f), where the hierarchical structure table corresponds to the structure of the
cash system.

This paper is constructed as follows: First, in section 2, we will introduce the background
of the key techniques including the number theoretic conventions, and the hierarchical
structure table of the cash system. In section 3, we will propose the basic version
of our electronic cash system. Section 4 explains how electronic credits can be transferred
to another customer. Section 5 estimates the properties of the electronic cash system.


2 Preparations 


2.1 Number Theoretic Conventions 


Definition 2.1 N is called the Blum integer [Bl] if \(N = PQ\) (\(P, Q\) are prime),
\(P \equiv 3 \pmod 4\), and \(Q \equiv 3 \pmod 4\).

N is called the Williams integer [W] if \(N = PQ\) (\(P, Q\) are prime), \(P \equiv 3 \pmod 8\), and
\(Q \equiv 7 \pmod 8\). Note that the Williams integer is a specific type of the Blum integer.
So, the Williams integer has all properties of the Blum integer.


Let \((x/N)\) denote the Jacobi symbol, when N is a composite number, and denote
the Legendre symbol, when N is a prime. When \(N = PQ\) (\(P, Q\) are prime), we can
classify \(Z_N^*\) into four classes:
\[Z_{(1,1)} = \{x \in Z_N^* \mid (x/P) = 1, (x/Q) = 1\},\]
\[Z_{(1,-1)} = \{x \in Z_N^* \mid (x/P) = 1, (x/Q) = -1\},\]
\[Z_{(-1,1)} = \{x \in Z_N^* \mid (x/P) = -1, (x/Q) = 1\},\]
\[Z_{(-1,-1)} = \{x \in Z_N^* \mid (x/P) = -1, (x/Q) = -1\}.\]

Clearly, \(Z_{(1,1)}\) denotes the set of quadratic residue integers in \(Z_N^*\). Hereafter, we often
write \(QR_N\) as \(Z_{(1,1)}\), and \(QNR_N\) as the other classes.


Proposition 2.2 Let N be the Blum integer, and \(x \in QR_N\). Then, for any integer t
(\(1 \le t\)), there are four values \(y_1, y_2, y_3, y_4\) such that \(y_i^{2^t} \equiv x \pmod N\) and that
\(y_1 \in Z_{(1,1)}\), \(y_2 \in Z_{(1,-1)}\), \(y_3 \in Z_{(-1,1)}\), \(y_4 \in Z_{(-1,-1)}\).

In addition, \(y_1 \equiv -y_4 \pmod N\), \(y_2 \equiv -y_3 \pmod N\), \((y_1/N) = (y_4/N) = 1\), and
\((y_2/N) = (y_3/N) = -1\).


The above proposition immediately implies that the four values of the \(2^t\)-th root y of x can
be uniquely determined by two bits of information; one is whether \((y/N) = 1\) or \(-1\), and the
other is whether \(y < N/2\) or not. In other words, when \(y < N/2\), there are two values of
y, one of which is \((y/N) = 1\) and the other is \((y/N) = -1\).

\(x^{1/2^t} \bmod N\) (\(1 \le t\)) can be computed efficiently (in expected polynomial time) from
\(x, P, Q\) [R, Ber], and \((y/N)\) can also be computed efficiently from y and N, while to
compute \(x^{1/2^t} \bmod N\) from x and N is as difficult as factoring N [R].


Proposition 2.3 Let \(N = PQ\) be the Williams integer. Then, for any \(x \in Z_N^*\), either
one of \(x, -x, 2x\) and \(-2x\) is in \(QR_N\). In addition, when \(ax \in QR_N\) (a is either \(1, -1, 2\),
or \(-2\)), \(bx\) is not in \(QR_N\) (\(b \ne a\), and b is either \(1, -1, 2\), or \(-2\)).


The above proposition is easily proven by the following result:
\[(-1/P) = -1, \quad (-1/Q) = -1, \quad (2/P) = -1, \quad (2/Q) = 1.\]

Definition 2.4 Let N be the Williams integer, and \(x \in QR_N\).

\[[x^{1/2^t} \bmod N]_{QR} = y\]
such that \(y^{2^t} \equiv x \bmod N\) and \(y \in QR_N\) (\(1 \le t\)).
\[[x^{1/2^t} \bmod N]_{1} = y'\]
such that \(y'^{2^t} \equiv x \bmod N\), \((y'/N) = 1\) and \(0 < y' < N/2\) (\(1 \le t\)).
\[[x^{1/2^t} \bmod N]_{-1} = y''\]
such that \(y''^{2^t} \equiv x \bmod N\), \((y''/N) = -1\) and \(0 < y'' < N/2\) (\(1 \le t\)).

Let N be the Williams integer, and \(z \in Z_N^*\).

\[\langle z \rangle_{QR} = dz \bmod N\]
such that \(d \in \{\pm 1, \pm 2\}\) and \(dz \bmod N \in QR_N\).
\[\langle z \rangle_{1} = d'z \bmod N\]
such that \(d' \in \{1, 2\}\) and \((d'z/N) = 1\).
\[\langle z \rangle_{-1} = d''z \bmod N\]
such that \(d'' \in \{1, 2\}\) and \((d''z/N) = -1\).


From the properties of the Williams number (and the Blum number), each value of
\(y, y', y'', d, d', d''\) is uniquely determined respectively.


2.2 Hierarchical Structure Table 


In our cash system, the hierarchical structure table plays an important role because it 
allows the issued electronic bill C to be subdivided into many pieces such that each 
subdivided piece is worth any desired value less than C and the total value of all pieces 
is equivalent to C. 

The hierarchical structure table is a tree of t levels, in which each node has two sons, and
the unique root node exists at the top of the tree. So, there are \(2^{i-1}\) nodes at the i-th
level.

Here, we show the significance of the tree in our cash system. For easy understanding,
we use a simple example, where the tree has three levels, and the value of the issued bill
C is $100. The nodes of the i-th level correspond to $100/\(2^{i-1}\). So, the customer can use
the bill in $25 increments, since the nodes of the bottom level (the third level) correspond
to $25 (see Figure 1).

We place two restrictions on the usage of the bill in relation to the tree, as follows:


1. The value corresponding to a node, N, is the total of the values corresponding to
nodes that are the direct sons of N.


2. When a node (the corresponding value) is used, all descendant nodes and all ancestor
nodes of this node cannot be used.


3. No node can be used more than once.

We show the case when customer Alice uses $75 first and then uses $25. When she
uses $75, she must use node \(\Gamma_{00}\) ($50), and node \(\Gamma_{010}\) ($25). From the above restrictions,
only \(\Gamma_{011}\) ($25) can be used after the use of \(\Gamma_{00}\) and \(\Gamma_{010}\) (see Figure 2).

More generally, if Alice wants to use a bill worth $1000 by the cent, she would need a
hierarchical structure table of 17 levels (\(\log_2 100000 = 16.5\)). She would then use about 8
nodes on average (minimum: one node; maximum: 16 nodes) in order to pay by the cent
for each purchase (e.g., $334.36 payment).

Moreover, in our concrete cash scheme that will be shown in the following sections,
we need two hierarchical structure tables (Γ table and Λ table); Γ table is used to realize
the first restriction, and Λ table to realize the second restriction. Γ table and Λ table
have the same structure such that they are trees with the same topology (or the same
number of layers), and that \(\Gamma_{j_1 \cdots j_t}\) and \(\Lambda_{j_1 \cdots j_t}\) both correspond to the same position node
(Node\(_{j_1 \cdots j_t}\)) of the money structure table. In the example of Figures 1 and 2, \(\Gamma_{00}\) and \(\Lambda_{00}\)
correspond to the same position node, the left node of $50, of the money structure table.
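
The node selection described in this subsection, as an added example (not code from the paper): a wallet picks the largest free nodes first for each payment and refuses any node that is an ancestor or descendant of one already spent, and `conflicts` is the matching check a bank could run over the nodes recorded for one bill. The class and function names, the leftmost-free-node strategy, and measuring amounts in units of the bottom-level node are assumptions of this sketch.

```python
def node_value(label, levels):
    """Value of a node in bottom-level units; the root '0' is level 1."""
    return 1 << (levels - len(label))


def related(a, b):
    """True if a and b are the same node or one is an ancestor of the other."""
    return a.startswith(b) or b.startswith(a)


def conflicts(nodes):
    """Bank-side check: every pair of recorded nodes that breaks restriction 2 or 3."""
    return [(a, b) for i, a in enumerate(nodes) for b in nodes[i + 1:] if related(a, b)]


class Bill:
    """One issued bill whose hierarchical structure table has `levels` levels."""

    def __init__(self, levels):
        self.levels = levels
        self.used = []                       # labels of nodes already spent

    def balance(self):
        spent = sum(node_value(u, self.levels) for u in self.used)
        return node_value("0", self.levels) - spent

    def pay(self, units):
        """Pick nodes worth `units`, one node per set bit of the amount."""
        if not 0 < units <= self.balance():
            raise ValueError("amount exceeds remaining balance")
        chosen = []
        for level in range(1, self.levels + 1):          # largest node first
            size = 1 << (self.levels - level)
            if not units & size:
                continue
            for k in range(1 << (level - 1)):            # leftmost free node
                label = "0" + (format(k, "0%db" % (level - 1)) if level > 1 else "")
                if not any(related(label, u) for u in self.used + chosen):
                    chosen.append(label)
                    break
            else:
                raise ValueError("no free node of size %d" % size)
        self.used += chosen
        return chosen


if __name__ == "__main__":
    bill = Bill(3)                 # the $100 bill of Figure 1, unit = $25
    print(bill.pay(3))             # $75
    print(bill.pay(1))             # the remaining $25
    print(conflicts(["00", "010", "000"]))
```
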


$100 


$50 $50 


$25 $25 $25 $25 


Figure 1: Hierarchical Structure Table (Money Structure)


The 1st level: \(\Gamma_0\)
The 2nd level: \(\Gamma_{00}\), \(\Gamma_{01}\)
The 3rd level: \(\Gamma_{000}\), \(\Gamma_{001}\), \(\Gamma_{010}\), \(\Gamma_{011}\)


Figure 2: Hierarchical Structure Table (Γ Table)

3 Basic Universal Electronic Cash Scheme


In this section, we introduce the basic universal electronic cash scheme which satisfies the
five criteria ((a) through (f) except (e) (Transferability)).


3.1 Protocol 


Protocol 1 (Basic universal electronic cash): 


For blind digital signatures [Ch], bank A has generated keys of the RSA scheme;
\((e_A, n_A; d_A), (e'_A, n'_A; d'_A), (e''_A, n''_A; d''_A), \ldots\), where \((e_A, n_A), (e'_A, n'_A), \ldots\) are public keys,
and \(d_A, d'_A, \ldots\) are the corresponding secret keys. A has published \((e_A, n_A), (e'_A, n'_A), (e''_A, n''_A), \ldots\),
where \((e_A, n_A)\) corresponds to the electronic license that A issues, and \((e'_A, n'_A)\),
\((e''_A, n''_A), \ldots\) correspond to the value of the electronic bill that A issues. For example,
$100 corresponds to \((e'_A, n'_A)\), and $500 corresponds to \((e''_A, n''_A)\), etc. Bank A also sets the
security parameter \(K = O(|n_A|) = O(|n'_A|) = \ldots\) (for example, \(K = 40\)).

A has also published three randomized hash functions, \(f_\Gamma, f_\Lambda, f_\Omega\), to generate the
hierarchical structure tables, Γ table and Λ table. Here, the function values are assumed
to distribute uniformly (for example, the universal hash functions [CW], and pseudo-random
generator). Note that the one-wayness or collision-freeness is not required for
these functions.

Customer P has a bank account number \(ID_P\) and has generated the key of the RSA
scheme, \((e_P, n_P; d_P)\), and published \((e_P, n_P)\) for digital signatures.


Note 1: Any multiple blind digital signature [OkOh1] can be used in place of the RSA
scheme for bank A above. For example, the blind digital signature scheme based on
the Fiat-Shamir signature scheme [OkOh2] can be used for this purpose. Moreover, any
digital signature scheme can be used in place of the RSA scheme for customer P above.
For example, [FOM] can be used for this purpose.


When a customer P opens an account at bank A, A issues an electronic license \(B = \{B_i \mid
1 \le i \le K/2\}\) to use the electronic cash of bank A. (Precisely, the electronic license
is \((B, \{I_i, N_i\}, L)\). For simplicity, however, we simply call it B.) To get B, P conducts
the following protocol with A. This procedure is executed only once when P opens the
account, unless P uses the electronic cash invalidly.


Step 1: Customer P chooses a random value \(a_i\), and the Williams integers \(N_i\) with two
large prime factors \(P_i, Q_i\) (\(N_i = P_i Q_i\)), where \(P_i \equiv 3 \pmod 8\) and \(Q_i \equiv 7
\pmod 8\), for \(i = 1, \ldots, K\).

Step 2: P forms and sends K blind candidates \(W_i\) (\(i = 1, \ldots, K\)) to bank A.

\[W_i = r_i^{e_A} g(I_i \| N_i) \bmod n_A \quad \text{for } 1 \le i \le K,\]
where \(r_i \in Z_{n_A}\) is a random integer, g is an appropriate one-way hash function,
and

\[S_i = ID_P \| a_i \| (g(ID_P \| a_i))^{d_P} \bmod n_P = S_{1,i} \| S_{2,i},\]
\[I_{1,i} = S_{1,i}^2 \bmod N_i, \quad I_{2,i} = S_{2,i}^2 \bmod N_i,\]
\[I_i = I_{1,i} \| I_{2,i}.\]

Here, \(\|\) denotes the concatenation.

Step 3: A chooses a random subset of K/2 blind candidates indices \(U = \{i_j\}\), \(1 \le i_j \le K\)
for \(1 \le j \le K/2\) and transmits it to P.

Step 4: P displays the \(a_i, P_i, Q_i, (g(ID_P \| a_i))^{d_P} \bmod n_P, ID_P, r_i\) for all i in U, then A
checks them. If they are not valid, A halts this protocol. To simplify notations,
we will assume that \(U = \{K/2 + 1, K/2 + 2, \ldots, K\}\).

Step 5: A gives P

\[\Big(\prod_{i=1}^{K/2} W_i\Big)^{d_A} \bmod n_A.\]

Step 6: P can then extract the electronic license \(B = \big(\prod_{i=1}^{K/2} g(I_i \| N_i)\big)^{d_A} \bmod n_A\).
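
Steps 2 through 6 above, as an added Python example that is not part of the original paper: the customer blinds K candidates, the bank opens the half indexed by U, signs the product of the rest, and the customer unblinds the result into B. The toy RSA key, SHA-256 as a stand-in for g, the byte strings standing for \(I_i \| N_i\), the `is_well_formed` callback standing for the bank's Step 4 checks, and all function names are assumptions.

```python
import hashlib
import secrets
from math import gcd, prod

P_A, Q_A = (1 << 31) - 1, (1 << 61) - 1      # constructed toy primes (both Mersenne)
N_A, E_A = P_A * Q_A, 65537                  # bank A's public key (e_A, n_A)
D_A = pow(E_A, -1, (P_A - 1) * (Q_A - 1))    # bank A's secret exponent d_A
K = 8                                        # security parameter (the paper suggests 40)


def g(data):
    """Stand-in for the one-way hash g, mapped into Z_nA (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N_A


def make_candidates(contents):
    """Customer, Step 2: W_i = r_i^eA * g(I_i || N_i) mod nA for every candidate."""
    rs, ws = [], []
    for c in contents:
        r = secrets.randbelow(N_A - 2) + 2
        while gcd(r, N_A) != 1:              # r must be invertible to unblind later
            r = secrets.randbelow(N_A - 2) + 2
        rs.append(r)
        ws.append(pow(r, E_A, N_A) * g(c) % N_A)
    return rs, ws


def bank_check_opened(ws, opened, is_well_formed):
    """Bank, Step 4: `opened` maps each index in U to the revealed (r_i, content)."""
    return all(is_well_formed(c) and ws[i] == pow(r, E_A, N_A) * g(c) % N_A
               for i, (r, c) in opened.items())


def bank_sign_rest(ws, U):
    """Bank, Step 5: a single signature on the product of the unopened candidates."""
    return pow(prod(w for i, w in enumerate(ws) if i not in U) % N_A, D_A, N_A)


def unblind(sig, rs, U):
    """Customer, Step 6: divide out the blinding factors to obtain the license B."""
    r_prod = prod(r for i, r in enumerate(rs) if i not in U) % N_A
    return sig * pow(r_prod, -1, N_A) % N_A


def license_valid(B, contents_kept):
    """Anyone: B^eA must equal the product of g(I_i || N_i) over the kept indices."""
    return pow(B, E_A, N_A) == prod(g(c) for c in contents_kept) % N_A


def issue(contents, U, is_well_formed):
    """Run Steps 2-6; returns B, or None if the bank halts at Step 4."""
    rs, ws = make_candidates(contents)
    opened = {i: (rs[i], contents[i]) for i in U}
    if not bank_check_opened(ws, opened, is_well_formed):
        return None
    return unblind(bank_sign_rest(ws, U), rs, U)


if __name__ == "__main__":
    contents = [b"I%d||N%d" % (i, i) for i in range(K)]   # constructed placeholders
    U = set(range(K // 2, K))
    B = issue(contents, U, lambda c: c.startswith(b"I"))
    print(license_valid(B, contents[:K // 2]))
```
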


Part II. 


When customer P wants bank A to issue an electronic bill worth $100, C, which corresponds
to \((e'_A, n'_A)\), P conducts the following protocol with A.


Step 1: P chooses a random value b, forms and sends Z to A.
\[Z = r^{e'_A} g(B \| b) \bmod n'_A,\]
where \(r \in Z_{n'_A}\) is a random integer.


Step 2: A gives \(Z^{d'_A} \bmod n'_A\) to P and charges P's account $100.
Step 3: P can then extract the electronic bill \(C = (g(B \| b))^{d'_A} \bmod n'_A\).


Part III. 


To pay a shop V a certain amount of money, P and V proceed as follows:

First, for easy understanding, we will show a simple example of this protocol, when P
pays $75 to V based on the hierarchical structure table of three levels, as was shown in
subsection 2.2. Here, we assume that P has received $100 bill C from Bank A in Part II.


Step 1: As the preliminary stage of Part III, P computes the value of \(\Gamma_{i,0}\) (\(i = 1, \ldots, K/2\))
as follows:

\[\Gamma_{i,0} = \langle f_\Gamma(C \| 0 \| N_i) \rangle_{QR}.\]
(See Subsection 2.1 for the notation of \(\langle \cdot \rangle_{QR}\).)


Step 2: When P decides to pay $75, first P computes \(X_{i,00}\) (corresponding to $50) and
\(X_{i,010}\) (corresponding to $25) (\(i = 1, \ldots, K/2\)) as follows:

\[X_{i,00} = [\Gamma_{i,0}^{1/4} \bmod N_i]_{-1},\]
\[X_{i,010} = [(\Omega_{i,0}^2 \Gamma_{i,0})^{1/8} \bmod N_i]_{-1}.\]

Here, \(\Omega_{i,0} = \langle f_\Omega(C \| 0 \| N_i) \rangle_{1}\).
P sends \((I_i, N_i, X_{i,00}, X_{i,010})\) (\(i = 1, \ldots, K/2\)) and \((B, C)\) to V.


Note: The above calculation of \(X_{i,00}\) and \(X_{i,010}\) is based on the following
algorithm:

\[X_{i,00} = [\Gamma_{i,00}^{1/2} \bmod N_i]_{-1},\]
\[X_{i,010} = [\Gamma_{i,010}^{1/2} \bmod N_i]_{-1},\]
where
\[\Gamma_{i,00} = [\Gamma_{i,0}^{1/2} \bmod N_i]_{QR},\]
\[\Gamma_{i,01} = [\Omega_{i,0} \Gamma_{i,0}^{1/2} \bmod N_i]_{QR},\]
\[\Gamma_{i,010} = [\Gamma_{i,01}^{1/2} \bmod N_i]_{QR}.\]
Here, summarizing the algorithm, first, the Γ table values of the corresponding nodes
(\(\Gamma_{i,00}, \Gamma_{i,010}\)) are calculated, then the square roots of these values in QNR (these
Jacobi symbol values are \(-1\)) are \(X_{i,00}\) and \(X_{i,010}\).


Figure 3: Node Values of Γ Table (Three Layer Example)


Step 3: V verifies the validity of the signatures B for \(\{(I_i, N_i)\}\), and C for B. V computes
\(\Omega_{i,0}\), \(f_\Gamma(C \| 0 \| N_i)\), then verifies the validity of \(X_{i,00}\) and \(X_{i,010}\) (\(i = 1, \ldots, K/2\))
such that

\[(X_{i,00}/N_i) = (X_{i,010}/N_i) = -1,\]
\[X_{i,00}^4 = d_i f_\Gamma(C \| 0 \| N_i) \bmod N_i,\]
\[X_{i,010}^8 = d_i \Omega_{i,0}^2 f_\Gamma(C \| 0 \| N_i) \bmod N_i,\]
where \(d_i \in \{\pm 1, \pm 2\}\) (\(i = 1, \ldots, K/2\)). If they are valid, V selects random bits,
\(E_{i,00}, E_{i,010} \in \{0, 1\}\) (\(i = 1, \ldots, K/2\)), and sends them to P. Otherwise V halts
this protocol.

Step 4: P computes
\[Y_{i,00} = [\Lambda_{i,00}^{1/2} \bmod N_i]_{(-1)^{E_{i,00}}},\]
\[Y_{i,010} = [\Lambda_{i,010}^{1/2} \bmod N_i]_{(-1)^{E_{i,010}}},\]
and sends \((Y_{i,00}, Y_{i,010})\) (\(i = 1, \ldots, K/2\)) to V. Here,
\[\Lambda_{i,00} = \langle f_\Lambda(C \| 00 \| N_i) \rangle_{QR},\]
\[\Lambda_{i,010} = \langle f_\Lambda(C \| 010 \| N_i) \rangle_{QR}.\]

Step 5: V verifies that

\[(Y_{i,00}/N_i) = (-1)^{E_{i,00}}, \quad (Y_{i,010}/N_i) = (-1)^{E_{i,010}},\]
\[Y_{i,00}^2 = d'_i f_\Lambda(C \| 00 \| N_i) \bmod N_i,\]
\[Y_{i,010}^2 = d''_i f_\Lambda(C \| 010 \| N_i) \bmod N_i,\]

where \(d'_i, d''_i \in \{\pm 1, \pm 2\}\) (\(i = 1, \ldots, K/2\)). If verification succeeds, V accepts P's
messages as $75 from electronic bill C.


Next, we show the protocol of Part III in general cases. Here, we assume that Γ table
has more than t levels, and that the node corresponding to the value of P's payment to
V is \(\Gamma_{j_1 \cdots j_t}\) (and \(\Lambda_{j_1 \cdots j_t}\)), where \(j_1, \ldots, j_t \in \{0, 1\}\). Usually, there are several nodes which
correspond to the payment (e.g., in the above simple example, two nodes form P's $75
payment). Then, the following protocol of each node must be executed simultaneously,
in the same manner as the above protocol, which has two nodes.


Step 1: This preliminary stage of Part III is the same as the above protocol. 
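Step 2: When P determines the node, \(\Gamma_{j_1 \cdots j_t}\) (and \(\Lambda_{j_1 \cdots j_t}\)), corresponding to the payment,
P computes \(X_{i,j_1 \cdots j_t}\):

\[X_{i,j_1 \cdots j_t} = \big[\big(\Omega_{i,j_1 \cdots j_{t-1}}^{2^{t-1} j_t} \, \Omega_{i,j_1 \cdots j_{t-2}}^{2^{t-2} j_{t-1}} \cdots \Omega_{i,j_1}^{2 j_2} \, \Gamma_{i,0}\big)^{1/2^t} \bmod N_i\big]_{-1},\]

where \(\Omega_{i,j_1 \cdots j_t} = \langle f_\Omega(C \| j_1 \| \cdots \| j_t \| N_i) \rangle_{1}\).
P sends \((I_i, N_i, X_{i,j_1 \cdots j_t})\) (\(i = 1, \ldots, K/2\)) and \((B, C)\) to V.
Note: The above calculation of \(X_{i,j_1 \cdots j_t}\) is based on the following algorithm:

\[X_{i,j_1 \cdots j_t} = [\Gamma_{i,j_1 \cdots j_t}^{1/2} \bmod N_i]_{-1},\]
where
\[\Gamma_{i,j_1 \cdots j_t} = [\Omega_{i,j_1 \cdots j_{t-1}}^{j_t} \Gamma_{i,j_1 \cdots j_{t-1}}^{1/2} \bmod N_i]_{QR}.\]
Step 3: V verifies the validity of the signatures B for \(\{(I_i, N_i)\}\), and C for B. V computes
\(\Omega_{i,j_1 \cdots j_k}\) (\(k = 1, \ldots, t-1\)), then verifies the validity of \(X_{i,j_1 \cdots j_t}\) (\(i = 1, \ldots, K/2\)) such
that

\[(X_{i,j_1 \cdots j_t}/N_i) = -1,\]
\[X_{i,j_1 \cdots j_t}^{2^t} = d_i \, \Omega_{i,j_1 \cdots j_{t-1}}^{2^{t-1} j_t} \, \Omega_{i,j_1 \cdots j_{t-2}}^{2^{t-2} j_{t-1}} \cdots \Omega_{i,j_1}^{2 j_2} \, f_\Gamma(C \| 0 \| N_i) \bmod N_i,\]
where \(d_i \in \{\pm 1, \pm 2\}\) (\(i = 1, \ldots, K/2\)). If they are valid, V selects random bits,
\(E_{i,j_1 \cdots j_t} \in \{0, 1\}\) (\(i = 1, \ldots, K/2\)), and sends them to P. Otherwise V halts this
protocol.

Step 4: P computes
\[Y_{i,j_1 \cdots j_t} = [\Lambda_{i,j_1 \cdots j_t}^{1/2} \bmod N_i]_{(-1)^{E_{i,j_1 \cdots j_t}}}.\]
Here,
\[\Lambda_{i,j_1 \cdots j_t} = \langle f_\Lambda(C \| j_1 \| \cdots \| j_t \| N_i) \rangle_{QR}.\]
Step 5: V verifies that
\[(Y_{i,j_1 \cdots j_t}/N_i) = (-1)^{E_{i,j_1 \cdots j_t}},\]
\[Y_{i,j_1 \cdots j_t}^2 = d'_i f_\Lambda(C \| j_1 \| \cdots \| j_t \| N_i) \bmod N_i,\]

where \(d'_i \in \{\pm 1, \pm 2\}\) (\(i = 1, \ldots, K/2\)). If verification succeeds, V accepts P's
messages as payment of the amount due.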


Note: To prevent bank A from crediting an invalid shop's account in Part III, we can
enhance the protocol as follows: Here, we simply write \(E_i\) as \(E_{i,j_1 \cdots j_t}\). V selects a random
value \(E'_i\), and sends V's identity \(ID_V\), time T, and \(E'_i\) (\(i = 1, \ldots, K/2\)) to P in place of
sending \(E_i\). V computes \((E_1, \ldots, E_{K/2}) = h(ID_V \| T \| E'_1 \cdots E'_{K/2})\), where h is a one-way
function whose output is uniformly random. P also computes \(E_i\) (\(i = 1, \ldots, K/2\)).

Part IV.

For bank A to credit V's account by the appropriate amount, V sends the history of Part
III of this protocol, H, to A, which credits V's account. After checking the validity of H,
bank A must store H in its database. If A finds an invalid payment, A reveals the secret
information \(S_i\) of customer P who is responsible for the invalid payment from H and the
related history.

(End of Protocol 1) 


Note 1: Since bank A has already known K/2 pieces of \(S_i\) in Part I (e.g., \(S_{K/2+1}, \ldots, S_K\)),
(K/2 + 1) pieces of \(S_i\) shown by A are the evidence of the invalid payment by a
customer.


Note 2: Bank A can store H by dividing it into two parts, \(H_1\) and \(H_2\). \(H_1\) is used to
check the invalid payment, and \(H_2\) is to compute \(S_i\) when A finds an invalid payment. \(H_1\)
consists of the hashed value of C and the nodes corresponding to the payment. Here, the
hashed value of C is the searching key in the database, and \(H_1\) can be very short (e.g., 10
bytes). On the other hand, \(H_2\) is almost the same as H, and is pointed to from \(H_1\). Therefore,
\(H_1\) can be stored in a database which is easy to access, while \(H_2\) can be stored in a device
such as a magnetic tape and a laser disk, which is not easy to access but has a big capacity.
\(H_1\) and \(H_2\) (especially \(H_2\)) can be stored in a distributed manner.


3.2 Correctness 


Here, we show briefly that Protocol 1 satisfies the five criteria of (a) Independence, (b) Security,
(c) Privacy, (d) Off-line payment, and (f) Dividability. Among them, criteria (a) and (d)
are clearly satisfied. Therefore, we show that the other three criteria are satisfied.


• Privacy: First, if the customer accurately follows the protocol, even the coalition
of bank A and store V cannot get any knowledge about the identity of P with
non-negligible probability, assuming that factoring is difficult for A and V.


• Dividability: As shown in Subsection 2.2, if three restrictions on the usage of the
hierarchical structure table are satisfied, then the dividability condition is satisfied.
(In the next item (security), we will show that the second and third restrictions are
securely realized. The first restriction can be clearly realized as a protocol.) Then,
when R is the ratio of the value of an electronic bill, C, (e.g., $1000) to the minimum
unit of payment (e.g., 1 cent), then the processing and communication amounts for
payment are in proportion to \(\log_2 R\).


• Security: First, we show that the third restriction of the hierarchical structure table
(Subsection 2.2) is securely realized. If customer P uses any part of C (any node
of the hierarchical structure table of C) more than once, bank A can obtain the
identity of P with overwhelming probability, since the Williams integer N can be
factored in polynomial time from \([x^{1/2} \bmod N]_{1}\) and \([x^{1/2} \bmod N]_{-1}\), and since V
challenges P randomly using Λ table, along with the cut-and-choose methodology.
Next, we show that the second restriction of the hierarchical structure table
(Subsection 2.2) is securely realized. Here, for easy understanding, we use the simple
example, where the value of C is $100, and P pays $75 to V (Figures 1, 2, and
3). Note that the cut-and-choose methodology is also implicitly crucial in assuring
correctness, although we omit a detailed explanation here (roughly, thanks to this
methodology, we can assume that \(I_i, N_i\) are correctly generated).
First, we show that the first restriction is satisfied: that is, when nodes \(\Gamma_{00}, \Gamma_{010}\) are
used, then all descendant and ancestor nodes of these nodes, \(\Gamma_0, \Gamma_{000}, \Gamma_{001}\), and \(\Gamma_{01}\),
cannot be used. When \(\Gamma_{00}\) is used, P sends \(X_{i,00} = [\Gamma_{i,00}^{1/2} \bmod N_i]_{-1}\) (\(i = 1, \ldots, K/2\))
to V (finally to A). Then, if P uses \(\Gamma_{000}\), P sends \(X_{i,000} = [\Gamma_{i,000}^{1/2} \bmod N_i]_{-1}\)
(\(i = 1, \ldots, K/2\)). Since \([\Gamma_{i,00}^{1/2} \bmod N_i]_{QR} = X_{i,000}^2 \bmod N_i\), A can factor \(N_i\) from
\(X_{i,00}\) and \(X_{i,000}^2 \bmod N_i\) (then, the identity of P is revealed). Similarly, if \(\Gamma_0\) or \(\Gamma_{001}\)
is used with \(\Gamma_{00}\), or if \(\Gamma_0\) or \(\Gamma_{01}\) is used with \(\Gamma_{010}\), then the identity of P is revealed.
Therefore, when \(\Gamma_{00}, \Gamma_{010}\) are used, then \(\Gamma_0, \Gamma_{000}, \Gamma_{001}\), and \(\Gamma_{01}\) cannot be used
while concealing the identity of P.
Finally, we show the necessity of Ω, using a simple example. Assume that \(\Omega_{j_1 \cdots j_t}\) is
a constant value, e.g., 3. Then, in Figure 3, \(\Gamma_{01} = 3(\Gamma_0)^{1/2}\), where we omit the suffix
of i and mod \(N_i\), for simplicity. So, when a customer uses the nodes of \(\Gamma_{00}\) and \(\Gamma_{01}\),
he opens the values of \(X_{00} = (\Gamma_0)^{1/4}\) and \(X_{01} = (3(\Gamma_0)^{1/2})^{1/2} = 3^{1/2}(\Gamma_0)^{1/4}\), where
the Jacobi symbol values of \(X_{00}\) and \(X_{01}\) are \(-1\). Then, the shop can obtain \(3^{1/2}\) by
calculating \(X_{01}/X_{00}\), where the Jacobi symbol of this value is 1. The same situation
occurs when the customer uses the nodes of \(\Gamma_{000}\) and \(\Gamma_{001}\), and so on. Therefore,
suppose that a customer uses \(\Gamma_{000}, \Gamma_{001}, \Gamma_{010}\), and \(\Gamma_{0110}\), whose usage is valid. (So,
he opens \(X_{000}, X_{001}, X_{010}\), and \(X_{0110}\).) Then, the shop can calculate \(A = 3^{1/2}\) by
\(X_{001}/X_{000}\), and also calculate the value of \(X_{011}\) by \(A X_{010}\). Therefore, the shop can
factor N by using the values of \(X_{011}\) and \((X_{0110})^2\), where the Jacobi symbol of \(X_{011}\) is
\(-1\) and that of \((X_{0110})^2\) is 1. Thus, the shop can know the customer's ID, although
the customer uses the nodes validly.
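
The square-root notation of Subsection 2.1 and the overspending argument in the Security item above, as an added Python example (not the paper's code): the customer computes X for node 00 and later for its descendant 000, each value passes the shop's check on its own, and the bank then factors N from the pair. The toy primes, SHA-256 as a stand-in for \(f_\Gamma\), and all function names are assumptions; only Ω-free paths (nodes 00 and 000) are covered.

```python
import hashlib
from math import gcd

P, Q = 1019, 1031            # constructed toy primes: P = 3 (mod 8), Q = 7 (mod 8)
N = P * Q                    # a tiny Williams integer; a real N_i is hundreds of bits


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (the Legendre symbol when n is prime)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(rp, rq):
    """Combine a residue mod P and a residue mod Q into one residue mod N."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N


def root(x, t, sign):
    """[x^(1/2^t) mod N]_sign of Definition 2.4 for x in QR_N, sign = +1 or -1.
    Uses the factors P and Q, so only the owner of N can compute it."""
    for _ in range(t - 1):                   # every intermediate root lies in QR_N
        x = crt(pow(x, (P + 1) // 4, P), pow(x, (Q + 1) // 4, Q))
    rp, rq = pow(x, (P + 1) // 4, P), pow(x, (Q + 1) // 4, Q)
    y = crt(rp, rq) if sign == 1 else crt(rp, Q - rq)   # negate mod Q: Jacobi -1
    return min(y, N - y)                     # the representative below N/2


def angle_qr(z):
    """<z>_QR: the unique d*z mod N with d in {1, -1, 2, -2} that lies in QR_N."""
    for d in (1, -1, 2, -2):
        if jacobi(d * z, P) == 1 and jacobi(d * z, Q) == 1:
            return d * z % N
    raise ValueError("z is not a unit mod N")


def f_gamma(bill, node):
    """Stand-in for the public hash f_Gamma(C || node || N) (assumption)."""
    ctr = 0
    while True:
        data = b"%d|%s|%d|%d" % (bill, node.encode(), N, ctr)
        z = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
        if gcd(z, N) == 1:
            return z
        ctr += 1


def shop_accepts(bill, x, t):
    """Shop, Step 3, for an Omega-free node at level t: Jacobi -1 and x^(2^t) = d*f."""
    f = f_gamma(bill, "0")
    return jacobi(x, N) == -1 and any(pow(x, 2 ** t, N) == d * f % N
                                      for d in (1, -1, 2, -2))


def factor_from_overspend(x_parent, x_child):
    """Bank: x_parent and x_child^2 are square roots of the same node value with
    Jacobi symbols -1 and +1, so their difference shares one prime with N."""
    g = gcd((x_parent - pow(x_child, 2, N)) % N, N)
    return (g, N // g) if 1 < g < N else None


def demo(bill=123456789):
    gamma0 = angle_qr(f_gamma(bill, "0"))    # Gamma_{i,0}
    x00 = root(gamma0, 2, -1)                # X_{i,00}: node 00 is spent
    x000 = root(gamma0, 3, -1)               # X_{i,000}: its descendant is spent too
    return x00, x000


if __name__ == "__main__":
    a, b = demo()
    print(shop_accepts(123456789, a, 2), shop_accepts(123456789, b, 3))
    print(factor_from_overspend(a, b))
```
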


4 Transferable Universal Electronic Cash


In this section, we propose an electronic cash scheme satisfying the criterion of (e) Transferability
in addition to the other five criteria.

Protocol 2. (Transferable universal electronic cash)
This protocol is constructed based on Protocol 1. To simplify the description of this
protocol, we suppose an example similar to that in Section 3, where C is worth $100,
customer \(P_1\) who has spent $75 transfers the remaining $25 to customer \(P_2\), and \(P_2\) uses
$25 at shop V.


Part I. 

When customers \(P_1\) and \(P_2\) open their accounts at bank A, A issues electronic licenses
\(B^{(j)}\) to a customer \(P_j\) (j = 1, 2). Hereafter, in this protocol, \(x^{(j)}\) means x of \(P_j\), where
variable x follows the definition in Protocol 1.


Part II. 


Suppose that customer \(P_1\) has bank A issue an electronic bill worth $100, C.

Part III.


To transfer C to another customer \(P_2\), \(P_1\) and \(P_2\) proceed as follows:

(Step 1) \(P_2\) takes the role of V in Protocol 1 as \(P_1\) pays shop \(P_2\) $25 (corresponding to
node \(\Gamma_{011}\)) (Part III of Protocol 1).

(Step 2) \(P_1\) sends certification T that denotes the transfer of C from \(P_1\) to \(P_2\). For example,
\(P_1\) sends a (Rabin scheme) digital signature \(T = (\langle g(C \| 011 \| B^{(2)}) \rangle_{QR})^{1/2} \bmod N_i^{(1)}\).


Part IV. 

To pay shop V $25, \(P_2\) and V proceed as follows:

(Step 1) \(P_2\) sends the history of Part III of this protocol, \(H^{(1)}\), to V. V checks the validity
of \(H^{(1)}\).

(Step 2) \(P_2\) follows Part III of Protocol 1 with shop V to pay C. Here, \(P_2\) sends V
messages corresponding to nodes \(\Gamma_{011}^{(2)}\) and \(\Lambda_{011}^{(2)}\).


Part V. 

To have bank A credit V's account by $25, V sends the history of Part IV of this protocol,
\(H^{(2)}\), to A, which credits V's account. Bank A must store \(H^{(2)}\) in its database.
(End of Protocol 2) 


5 Performance Estimation 


We will briefly explain an example of the new cash system implementation. Here we
assume that K = 40, \(|N_i|\) is 64 bytes, and the hierarchical structure table has 17 levels.
We also assume that a bank issues a piece of cash worth $1000 to customer Alice. Alice
can disburse her cash in any way she pleases until the total expended equals $1000. Then,
she uses just 64 bytes of data for the electronic bill (C) worth $1000 and her proper data
(electronic license, B) is about several kilobytes. Thus the total amount of data is small
enough to be stored on typical smart cards. When she buys several articles (e.g., the total
payment for them is $334.36) at a store, her card transmits only 20 kilobytes on average.
The computation time for generating the data representing the payment (e.g., $334.36)
that will be sent to the store is about several seconds, assuming the existence of a Rabin
scheme chip of 30 Kbps (kilo-bit per second). If the value of the payment is known in
advance, the computation for the payment can be executed in advance.

6 Conclusion


In this paper, we have proposed the first ideal untraceable electronic cash system. The
customer can subdivide his cash balance, C (dollars), into many pieces in any way he
pleases until the total value of all subdivided pieces equals C. A smart card equipped
with a Rabin scheme chip and the distributed database system for a bank to store \(H_1\)
and \(H_2\) should be implemented efficiently to realize the universal electronic cash system.
From a theoretical viewpoint, it remains open to construct an unconditionally untraceable
universal electronic cash system.